This is a message sent to me from Craig Spiezle, Director of Online Security and Safety for Microsoft Internet Explorer, on the topic of Extended Validation SSL certificates. 

It’s a very interesting read being that online fraud is becoming increasingly rampant and this is a great way to mitigate much of this risk to consumers.

Internet Explorer integrates dynamic Phishing protection and support of the emerging Extended Validation SSL Certificate program, as just two of several investments to help protect users, their data, their PC and their privacy.

The Microsoft Phishing Filter provides dynamic protection from known phishing sites, blocking nearly 1 million exploits each and every week. This is an opt-in service that operates in the background and provides an early warning system to notify users of both suspicious websites that could be engaging in identity and data theft, as well as those confirmed to be phishing sites. By design, user privacy has been at the forefront of this service and verified by third party audits that no personal information is collected by Microsoft or any third party [1] (http://www.jeffersonwells.com/client_audit_reports/Microsoft_PF_IE7_IEToolbarFeature_Privacy_Audit_20060728.pdf). It relies on browser-based heuristics to analyze Web pages in real time and warn users about suspicious characteristics as they browse. This client-side technology is combined with dynamically updated information that helps prevent users from interacting with confirmed phishing sites reported to Microsoft by a network of third-party data-provider partners and a community of users who help provide information on potential and confirmed phishing sites.

However, phishers have also been able to obtain ‘valid’ SSL certificates for their spoofed sites. Looking for that gold padlock icon is important, but without the identity information users can end up sending their personal information to the wrong website. Historically one way users used to help answer that question was the SSL padlock (the gold lock), which was the only indication of any security whatsoever. While helpful, SSL only means that I have an encrypted connection to someone. So someone with malicious intent could set up a site that closely copied the look and URL of a legitimate business, get an SSL cert, and try to fool users into giving them sensitive personal information via a phishing or social engineering attack.

Responding to these threats, the CA/Browser Forum has developed the new Extended Validation SSL Certificates or EV SSL. EV SSL leverages proven SSL technology, and adds a new process for vetting the identity of the business that is requesting the certificate, offering an improved level of authentication for securing transactions on their Web sites. Given the standardization and rigorousness of the process used, users can realize a higher level of online trust and confidence.

Internet Explorer 7 is the first browser to fully support EV SSL, and here’s what that looks like (in this instance when visiting www.login.live.com). You will notice that the address bar turns green, to notify users about the available identity information, and the name and country of the business are shown right there on the address bar (here “Microsoft Corporation [US]”). If a user wants to see more information about the company behind a website, he can simply click on the name of the company – the identification popup immediately shows the name and address of said company.

This is great news for Internet users: they now have an easy and reliable way to verify that they are on the correct site, and they don’t have to worry as much about phishing attacks or deceptive websites, as long as EV SSL is used. Furthermore, when they are transacting with a new website that uses EV SSL (say one they found through shopping.msn.com), they can easily identify the company behind the website, which helps them legally pursue their claim if the site doesn’t deliver as promised, helping add an element of accountability to the web. Remember that most sites will use a secure connection (https://, that will show you the green bar if they are using EV SSL), only when you are about to exchange sensitive information, such as when you login, or are about to check out your cart. If you wonder about the different colors of the address bar and how to use them in making trust decisions, you will find this description of the Internet Explorer 7 Security Status Bar helpful.

Today nearly 3,500 sites are now protecting their customers with EV SSLs, including Alaska Airlines, AutoZone, British Airways, eBay, FedEx, PayPal, Microsoft, Royal Doulton, The Body Shop UK, and Travelocity. In addition leading financial services have been quickly adopting worldwide including the Banque National du Canada, Charles Schwab, Deutsche Bank, SunLife, Sovereign Bank, UBS, and Vanguard. While the Microsoft Phishing Filter and EV SSLs alone will not solve all of the internet’s ills, combined they are an important step to protect brands and consumers alike.


[1] Third Party audit performed by Jefferson Wells. More information is available at www.microsoft.com/safety/antiphishing

[This is a 3rd party webcast being done by a partner of ours that is very expert in Rights Management.]

Titus Labs Webcast Invitation:
Ensuring Complete Protection of your Microsoft Word Documents

Managing, controlling and retrieving the increased amount of sensitive information in Microsoft Word documents while keeping the information protected is a challenge. Add power to Microsoft Word with user-driven classification labels for documents to protect against inadvertent disclosure or information leakage.

Join us for our upcoming webcast and learn how to successfully classify information and add intelligence with metadata to improve the handling of sensitive Word documents and to:

  • Control the flow of information based on pre-defined labels to restrict the viewing, printing, copying or distribution of documents.
  • Give your users a fast, simple, consistent way to classify and label documents based on business value or corporate policy.
  • Enhance the ability to instantly find and retrieve documents for compliance audits, legal discovery, and information security.

Presenter:
Charlie Pulfer, VP Product Development, Titus Labs

Where and When:
Tuesday January 29th, 2008
11:00am (EST)
Duration: 1 Hour
Registration: Complimentary

Registration:
Register Now!
http://titus08.cmail2.com/l/324974/qiiil4ly/www.titus-labs.com/resources/webcastForm.html

Posted by: kurtsh | January 24, 2008

DOWNLOAD: Windows Vista One Year Vulnerability Report

Jeff Jones, Microsoft’s Director of Security Strategy, has posted his "Vista One Year Vulnerability Report" on his blog. He’s added something he calls the "Patch Event" histograms that help to basically show:

  • An improved Software Development Lifecycle drives the quality of security essentially through the reduction of the need for security patching
  • A policy-driven benefit of moving to a monthly patch policy

[Taken from Jeff Jones’ Security Blog]

Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.

This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products.

The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.

POST: 
http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx

DOWNLOAD:
http://blogs.technet.com/security/attachment/2772991.ashx

Posted by: kurtsh | January 23, 2008

NEWS: Windows Vista GOLD is FIPS 140-2 Certified

On January 10, 2008 NIST’s Cryptographic Module Validation Program (CMVP) listed the Crypto certificates for Microsoft Windows Vista GOLD on their website. (BitLocker listing will follow shortly.)

The certificates can be viewed at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm#888 through http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm#894 .

List of Modules and their corresponding certificate numbers:

  • Boot Manager – Certificate 888
  • Winload OS Loader – Certificate 889
  • Code Integrity – Certificate 890
  • Kernel Mode Security Support Provider Interface – Certificate 891
  • Cryptographic Primitives Library – Certificate 892
  • Enhanced Cryptographic Provider – Certificate 893
  • Enhanced DSS and Diffie-Hellman Cryptographic Provider – Certificate 894

It gives us great pleasure to invite you to the first edition of the WW RFID Solution Days and Partner Expo to be held from February 18-19 @ the Westin in Bellevue, WA.

The event will showcase 14+ breakouts of solutions across verticals being built on BizTalk RFID (a 2 day solution extravaganza!), and will be followed by a 2 day instructor led deep drilldown training session on our RFID platform at the Microsoft campus.

This is a wonderful opportunity for you to gain a deep understanding of the solutions being developed and deployed across different verticals on the Microsoft RFID platform, meet with industry and product team experts, and appreciate the advances that have been made in the RFID field in the areas of price, performance, and reliability improvements through the Partner Expo. If you are interested in getting your teams trained on the Microsoft RFID Platform, we will also be hosting a 2 day instructor led deep-drilldown course following the conference, with content aimed at solution developers and architects.

For more information and to register for the event, please visit the event website here.

We look forward to seeing you in February.

Uh oh.  So much for being ‘on call’ at night.  Now there’s a medical deterrent.

Mobiles linked to disturbed sleep
Using a mobile phone before going to bed could stop you getting a decent night’s sleep, research suggests.

The study, funded by mobile phone companies, suggests radiation from the handset can cause insomnia, headaches and confusion. It may also cut our amount of deep sleep – interfering with the body’s ability to refresh itself.  The study was carried out by Sweden’s Karolinska Institute and Wayne State University in the US.

Funded by the Mobile Manufacturers Forum, the scientists studied 35 men and 36 women aged between 18 and 45.

Some were exposed to radiation equivalent to that received when using a mobile phone, others were placed in the same conditions, but given only "sham" exposure.

[More at http://news.bbc.co.uk/1/hi/health/7199659.stm]

Microsoft invites you to an exclusive FREE training opportunity

Accelerated SQL Server 2005 for Experienced Oracle DBAs
Thursday, February 21 – Friday, February 22, 2008

This 2-day instructor-led course is designed to teach Oracle DBAs how to leverage their skills and experience as an Oracle DBA to manage a SQL Server system. This course provides a quick start for the Oracle DBA to map, compare and contrast the realm of Oracle database management to SQL Server database management.

As a valued customer, we would like to offer you this training course at no cost to your organization. This event has limited seats available so please register now.  

What is a hands-on-lab?
This isn’t your typical IT class. This hands-on lab is for experienced IT Pros who want to "try it out." You’ll spend most of the day getting hands-on practice and experience with the new product features and scenarios in your own lab environment with very little instructor presentation.

Who should attend?
This course is intended for experienced database professionals currently implementing and administering non-Microsoft enterprise database management systems who need to expand their database skill-set to SQL Server 2005.

Course Modules

  • Module 1: Database and Instance
  • Module 2: Database Architecture
  • Module 3: Instance Architecture
  • Module 4: Data Objects
  • Module 5: Data Access
  • Module 6: Data Protection
  • Module 7: Basic Administration

Location
Quickstart Intelligence – Irvine
16815 Von Karman Avenue
Suite 100
Irvine, CA 92606
Phone: 949-486-1351

Date
Feb 21 – Feb 22, 2008
9:00 am – 5:00 pm

RSVP/Registration:
Please note that only specifically invited Enterprise customers that have registered will be admitted due to limited capacity.  If you are interested in participating, please contact me for registration information, code, and Internet link.

In conjunction with Lotusphere this week, Microsoft released a feature story about Notes migration on PressPass:

Microsoft Courts Lotus Switchers with New Migration Tools
Microsoft Corporate Vice President Chris Capossela outlines new resources designed to help customers transition to Microsoft’s unified communications and collaboration (UC&C) platform and the impact this business is having on the company’s bottom line.
http://www.microsoft.com/presspass/features/2008/jan08/01-20ucc.mspx

Here’s a quote from Chris Capossela who mentions some figures publicly around the success we’ve been having winning Notes customers over to the Microsoft collaboration & communications platform:

“Today, more than 80 percent of the Fortune 100 companies deploy Exchange Server as their primary e-mail and calendaring solution.  Much of the new growth is coming from customers switching from Notes and Domino. In the last six months of 2007, in the enterprise customer segment alone, more than 300 firms representing 2.8 million people began the move to Exchange Server, Office SharePoint Server and the Office suite. That’s a 164 percent increase over the same period in 2006 and includes companies like Colliers, Garudafoods, Kordsa Global, Siemens and Westinghouse. We’re already on track to exceed these numbers in 2008.”

–Chris Capossela, Corporate VP, Microsoft Business Division

The story is getting some good pickup in the press already:

Posted by: kurtsh | January 16, 2008

DOWNLOADS: Getting ready for Windows Vista Service Pack 1

Here are a series of whitepapers that IT should read in order to keep up with what’s gone on with Windows Vista Service Pack 1:

Overview of Windows Vista Service Pack 1
This white paper presents an overview of Windows Vista SP1 and the improvements it contains.

Notable Changes in Windows Vista Service Pack 1 Release Candidate
This document provides more detail about the notable changes made to Windows Vista in Service Pack 1 Release Candidate, which were focused on addressing specific reliability, performance, and compatibility issues, supporting new types of hardware, and adding support for several emerging standards.

Enterprise Guidance for Application Compatibility Testing and Windows Vista SP1
This white paper provides enterprise customers guidance for testing applications on the currently available version of Windows Vista and Windows Vista with Service Pack 1.

Windows Vista Online Resource Guide

http://technet.microsoft.com/en-us/windowsvista/default.aspx?wt_svl=10024VH_OS_Vista1&mg_id=10024VHb1

… your pointer to all resources on Windows Vista!

Posted by: kurtsh | January 14, 2008

BETA: Windows Server 2008 Security Guide

IT security is everybody’s business. Every day, adversaries are attempting to invade your networks and access your servers to bring them down, infect them with viruses, or steal information about your customers or employees. Attacks come from all directions: from onsite employee visits to Web sites infected with malware, to offsite employee connections through VPNs, branch office network connections to corporate servers, or direct assaults on vulnerable computers or servers in your network.

You know first hand how essential your servers are to keeping your organization up and running. The data they house and the services they provide are your organization’s lifeblood. It’s your job to stand guard over these essential assets, and to prevent them from going down, or falling victim to attacks from outside and inside your organization.

Windows Server® 2008 is engineered from the ground up with security in mind, delivering an array of new and improved security technologies and features that provide a solid foundation for running and building your business. To help you quickly configure, deploy, and manage the security settings in Windows Server 2008 across your organization, Microsoft is developing the Windows Server 2008 Security Guide. This guidance is designed to further enhance the security of the servers in your organization by taking full advantage of the security features and options in Windows Server 2008.

The team is producing a prescriptive security guide you can rely on that is:

  • Proven. Based on field experience.
  • Authoritative. Offers the best advice available.
  • Accurate. Technically validated and tested.
  • Actionable. Provides the specific steps to success.
  • Relevant. Addresses real-world security concerns.
  • Supported. Recommendations are fully supported by Microsoft Product Support.

For more information about the beta, visit:
http://www.microsoft.com/technet/security/prodtech/windowsserver2008/default.mspx

To JOIN the beta, visit: 
https://connect.microsoft.com/InvitationUse.aspx?ProgramID=1180&InvitationID=LHSG-DFWK-7BFX&SiteID=14
